Protect Your WordPress Blog From This Chrome Font Attack

Gavin Phillips 02-03-2017

Do you run a personal blog? Perhaps you’re part of the ongoing blogging boom. If you can write well, take beautiful pictures, and capture the mind of audience, there is a lot of money in blogging. It depends on what you’re blogging about, too. However, whether you’ve 10 million monthly views or just 10, your blog may still be a target for hackers.


The relative ease of hacking some blogging platforms make them a low-hanging fruit for some unscrupulous individuals. Additionally, there are numerous hacking methods for the most popular blogging platforms, such as WordPress. I’m going to show you some of the most common, as well as a relatively new play from the hacker’s handbook.

Chrome Font Social Engineering

A number of websites have been compromised with a hack that alters the visual appearance of the text. The attack uses JavaScript to change Your New Security Threat for 2016: JavaScript Ransomware Locky ransomware has been worrying security researchers, but since its brief disappearance and return as a cross-platform JavaScript ransomware threat, things have changed. But what can you do to defeat the Locky ransomware? Read More the text rendering, causing it to display a garbled mix of symbols in place of the site content. The user is then prompted to update the “Chrome language pack” in an effort to fix the problem.

The infection process is quite straightforward. If a potential victim meets a set of criteria, including target country and language, and User-Agent (confirmed as Chrome running on Windows), the JavaScript is inserted into the page. Next, one of two potential dialogue boxes then appear, explaining that “The ‘HoeflerText’ font wasn’t found,” along with a single option: Update.

The dialogue boxes are carefully constructed lures, but I’ll elaborate on that in a moment.

Protect Your WordPress Blog From This Chrome Font Attack ProofPoint Chrome Font Not Found


Selecting Update automatically downloads the infected file. Of course, if the user doesn’t execute the file, the computer remains free of infection. However, the script creates a fake issue, luring the user into interacting with the dialogue box. It is a classic social engineering ploy, guaranteed to ensnare numerous users.

What Is the File Hiding?

This exploit has been on the radar since December 2016, when security researcher @Kafeine was made aware of a compromised website. The website in question was delivering the infected payload to users. “Next-generation cybersecurity company” ProofPoint shared a detailed teardown and analysis of the hack and potential exploit.

Their analysis details an extensive and dynamic threat ecosystem that targets multiple countries. The payload delivers a type of advertising fraud malware, known as Fleercivet. Ad-fraud malware is used to redirect users to websites, then automatically click on the adverts displayed there. Once installed, the infected system begins to browse the internet of its own accord, in the background.


Why Is This Different?

Social engineering hacks are increasing in frequency How To Protect Yourself From These 8 Social Engineering Attacks What social engineering techniques would a hacker use and how would you protect yourself from them? Let's take a look at some of the most common methods of attack. Read More . This hack is notable for its specific targeting of Chrome users in combination with detailed lures.

The first dialogue box lure informed the user that “The ‘HoeflerText’ font wasn’t found.” To add authenticity to the lure, a box adds details of the supposed current Chrome font pack. Of course, your version will appear outdated, encouraging the user to hit the Update button.

Protect Your WordPress Blog From This Chrome Font Attack Chrome Font Hack Lure 1

The second dialogue box lure contains almost the same text, but uses different formatting, including an image to “assist” the user toward the malicious file.


Protect Your WordPress Blog From This Chrome Font Attack Chrome Font Hack Lure 2

Threat actors are finding it more difficult to infect the number of systems required to remain profitable. Therefore, they are turning to the weakest link in the security chain: humans.

Other Hacks Are Available

There are billions of websites. In February 2017, WordPress powered around 27.5 percent of the web. Joomla, Drupal, Magento, and Blogger combine to power a further 8.9 percent. The sheer number of sites powered by these content management systems makes them a massive target. (If we round the total number of sites on the web to one billion, 364 million of those are powered by one of the above CMS. This is a gross simplification.)

Protect Your WordPress Blog From This Chrome Font Attack W3Tech CMS Trends February 2017
Image Credit: W3Tech


Similarly, the number of sites run by unskilled and amateur webmasters present easy targets for skilled hackers. That said, a large number of professional sites are equally vulnerable Which Websites Are Most Likely to Infect You with Malware? You might think that porn sites, the Dark web or other unsavory websites are the most likely places for your computer to be infected with malware. But you would be wrong. Read More .

Why Did My Blog Get Hacked?

Has your blog been hacked at some point? There are several common reasons why.

Is “ElTest” Coming My Way?

Honestly, who knows? The Chrome font replacement hack has been directly linked to the “ElTest” infection chain. The infection chain is commonly linked to ransomware and exploit kits A History of Ransomware: Where It Started & Where It's Going Ransomware dates from the mid-2000s and like many computer security threats, originated from Russia and eastern Europe before evolving to become an increasingly potent threat. But what does the future hold for ransomware? Read More , and has been active since 2014. There is no clear path for the chain, only to find vulnerable sites and expose their users.

With this in mind, it is always worth considering your site security Protect Yourself With An Annual Security and Privacy Checkup We're almost two months into the new year, but there's still time to make a positive resolution. Forget drinking less caffeine - we're talking about taking steps to safeguard online security and privacy. Read More . Dealing with the points we covered in the last section will go some way to keeping you safe. As we have seen, humans are often the weakest link the security chain. Be that because we forgot to update our CMS or antivirus, or because we were duped by a social engineering attack How to Spot & Avoid 10 of the Most Insidious Hacking Techniques Hackers are getting sneakier and many of their techniques and attacks often go unnoticed by even experienced users. Here are 10 of the most insidious hacking techniques to avoid. Read More , we have to take the responsibility of our cybersecurity seriously.

Have you experienced a blog or website hack? What happened to your website? Did you have enough security in place or were you compromised elsewhere? Let us know your experience below!

Related topics: Fonts, Online Security, Wordpress.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. g p witteveen
    March 3, 2017 at 12:58 am

    So as the person posting articles, what remedies do we take to protect our readers/visitors? A few days ago this article appeared at Ars Technica re: WP gap in security, too,